Two factor authentication with authentication objects

ABSTRACT

Representations of authentication objects are provided for selection via an interface. An authentication object may be generated to include information obtained from one or more sensors of a device. A selected authentication object may contain information sufficient for authentication with a corresponding system. The interface may provide multiple representations of authentication objects that are usable with different service providers. The interface, executed by a first device, may be configured to authenticate a second device.

BACKGROUND

The security of computing resources and associated data is of highimportance in many contexts. As an example, organizations often utilizenetworks of computing devices to provide a robust set of services totheir users. Networks often span multiple geographic boundaries andoften connect with other networks. An organization, for example, maysupport its operations using both internal networks of computingresources and computing resources managed by others. Computers of theorganization, for instance, may communicate with computers of otherorganizations to access and/or provide data while using services ofanother organization. In many instances, organizations configure andoperate remote networks using hardware managed by other organizations,thereby reducing infrastructure costs and achieving other advantages.With such configurations of computing resources, ensuring that access tothe resources and the data they hold is secure can be challenging,especially as the size and complexity of such configurations grow.

To enhance data security, numerous techniques have been developed. Forexample, the use of username and password combinations has becomeubiquitous in various access control contexts. Additional techniques arealso often used in addition to or instead of usernames and passwords. Acommon issue encountered with conventional authentication techniques isthe tradeoff between security and usability. For example, passwords areoften subject to stringent requirements to cause users to selectpasswords that are difficult to guess, either by automated processes orhuman operators. Such requirements may, for instance, require minimumnumbers of capital letters, numbers and non-alphanumeric symbols. Whilesuch stringent requirements theoretically produce advantages for datasecurity, they often have adverse effects. Stringent requirements, forinstance, often make passwords difficult to remember, especially whenrequirements differ for different systems that each require a passwordfor access. In many instances, users may engage in unsecure behavior tocounteract the difficulties encountered in conventional access controlsystems. Users may, for example, write down or insecurely storepasswords as a result of the difficulty of remembering them.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present disclosure will bedescribed with reference to the drawings, in which:

FIG. 1 shows a diagram illustrating various aspects of the presentdisclosure;

FIG. 2 shows another diagram illustrating various aspects of the presentdisclosure;

FIG. 3 shows an illustrative example of an environment in which variousembodiments may be practiced;

FIG. 4 shows a diagram illustrating a configuration of an exampleauthentication object in accordance with at least one embodiment;

FIG. 5 shows an illustrative example of how a mobile device or otherdevice may be user to provide additional authentication in accordancewith at least one embodiment;

FIGS. 6A and 6B show an illustrative example of messages exchangedduring a two factor authentication process in accordance with at leaston embodiment;

FIG. 7 shows an illustrative example of a process for providing anauthentication object using two factor authentication in accordance withat least one embodiment;

FIG. 8 shows an illustrative example of how a mobile device or otherdevice may be user to provide additional authentication in accordancewith at least one embodiment;

FIG. 9 shows an illustrative example of components of a computing devicein accordance with at least one embodiment; and

FIG. 10 illustrates an environment in which various embodiments can beimplemented.

DETAILED DESCRIPTION

In the following description, various embodiments will be described. Forpurposes of explanation, specific configurations and details are setforth in order to provide a thorough understanding of the embodiments.However, it will also be apparent to one skilled in the art that theembodiments may be practiced without the specific details. Furthermore,well-known features may be omitted or simplified in order not to obscurethe embodiment being described.

Techniques described and suggested herein allow for increased datasecurity while achieving a better user experience. In some embodiments,a graphical user interface allows for easy use of access credentials togain access for which providing valid credentials is a prerequisite. Forexample, a user may utilize the graphical user interface to log in to awebsite to gain access to information and/or services of the website,although the techniques of the present disclosure are applicable inother contexts where credentials may be required for access (such as foraccess to functionality of a user interface usable to control homeautomation features). In some examples, the graphical user interfaceprovides the user the ability to select a representation of anauthentication object from a set of authentication objects and indicatethat the selected authentication object is to be used forauthentication. An authentication object, as described in more detailbelow, may be a collection of information forming an authenticationclaim that is necessary and/or sufficient for authentication to a systemfor which authentication is required for at least some access. As anillustrative example, an authentication object may be an encoding of ausername and password combination and possibly other informationnecessary and/or sufficient for authentication. Other examples ofinformation that may be included in an authentication object aredescribed in more detail below. A representation of an authenticationobject may be a graphical element or collection of graphical elements ofthe graphical user interface that corresponds or collectively correspondto the authentication object. In other words, a representation of anauthentication object may represent a set of actions for authenticatingan identity. The actions, as discussed in more detail below, may includeobtaining information for an authentication claim and/or submitting anauthentication claim to a service provider. As an example, arepresentation of an authentication object may be an icon that visuallyindicates the authentication object. The representation may, forexample, be visually distinguishable from other representations on thegraphical user interface. It should be noted that while visualrepresentations on a graphical user interface are used throughout forthe purpose of illustration, other representations that invoke humansenses in addition to or alternatively to sight are also considered asbeing within the scope of the present disclosure.

As noted above, in various embodiments, a user is able to select arepresentation of an authentication object from the graphical userinterface and indicate, through the same input or separate inputs, thatthe corresponding authentication object is to be used forauthentication. As such, the user may use a representation of anauthentication object to authenticate with a system without having tomanually input some or all authentication information. As one example,the graphical user interface may be configured such that a drag and dropoperation of the representation of the authentication object into aparticular area of the graphical user interface can be used to selectthe representation and indicate that the authentication object is to beused for authentication. As another example, selection of therepresentation from a drop-down or pop-up menu of the graphical userinterface may be used to select the representation and selection of abutton corresponding to the menu may be used to indicate that theauthentication object is to be used for authentication. Generally,numerous ways of selecting a representation of an authentication objectand indicating that the authentication object is to be used forauthentication are considered as being within the scope of the presentdisclosure. Further selection of the representation of theauthentication object and indicating that the authentication object isto be used for authentication may be performed as a single operationwhere selection of the representation simultaneously serves to indicatethat the authentication object is to be used for authentication.

Once an authentication object has been selected (e.g., by selection ofthe authentication object's representation in a graphical userinterface), the authentication object may be provided to a system forwhich the authentication object is sufficient and/or necessary forauthentication. In some embodiments, the selected authentication objectis configured to be provided prior to selection of the authenticationobject. For example, the authentication object may be stored in memoryof a computer system providing the graphical user interface and accessedfrom memory to be provided for authentication. In some embodiments, theauthentication object is generated after a user indicates that theauthentication object is to be used for authentication, such as byselecting a corresponding representation of the authentication object.To generate the authentication object (either before or after a userindicates that the authentication object is to be used forauthentication, as appropriate for the particular embodiment beingimplemented), information may be obtained and the obtained informationmay be used to generate the authentication object.

In some embodiments, the authentication object is generated to becryptographically verifiable by the system to which the authenticationobject is to be provided or another system that operates in conjunctionwith the system to which the authentication object is to be provided.For example, the authentication object may be encrypted so as to bedecryptable by the system that will cryptographically verify theauthentication object, where the ability to decrypt the authenticationobject serves as cryptographic verification of the authenticationobject. As another example, the authentication object may be digitallysigned (thereby producing a digital signature of the authenticationobject) such that the digital signature is verifiable by the system thatwill cryptographically verify the authentication object. In otherexamples, both encryption and digital signatures are used forcryptographic verifiability (and security). The key used to encryptand/or digitally sign the authentication object may vary in accordancewith various embodiments and the same key is not necessarily used forboth encryption and digital signing, where applicable. In someembodiments, a key used to encrypt an authentication object is a publickey of a public/private key pair where the private key of the key pairis maintained securely by the system to which the authentication objectis to be provided, thereby enabling the system to decrypt theauthentication object using the private key of the key pair. Using thepublic key to encrypt the authentication object may include generating asymmetric key, using the symmetric key to encrypt the authenticationobject, and encrypting the symmetric key using the public key, where theencrypted symmetric key is provided to a system with the encryptedauthentication object to enable the system to use the correspondingprivate key to decrypt the symmetric key and use the decrypted symmetrickey to decrypt the authentication object. Further, in some embodiments,the authentication object is digitally signed using a private key of apublic/private key pair corresponding to the computer system thatencrypts and/or digitally signs the authentication object (e.g., theuser's computing device). For example, an application that managesauthentication objects may be provisioned with the private key and theauthentication object may include a certificate for the private key foruse by a system for verification of the digital signature of theauthentication object. Other variations, including variations where asymmetric key shared between the user's computer system and the systemthat cryptographically verifies the authentication object is used toencrypt and/or digitally sign the authentication object.

As noted, various types of information may be obtained to generate theauthentication object. Such information may include authenticationcredentials, such as a username and password and/or information derivedtherefrom (e.g., a hash of a username and/or password) and/or othercredential information. In some embodiments, the information obtainedincludes an attestation to the state of a computing environment in whichthe authentication object is selected. For example, the attestation mayindicate that an authentication object manager application is unaltered,that a computer system on which the application object manager executeshas a particular anti-virus software application installed, that theanti-virus software application has received a recent update, that anoperating system of the computer system has had a particular updateapplied, or otherwise that the computer system of the authenticationobject manager is in a state in which the computer system is required tobe in for the authentication object to be successfully used.

Further, in some embodiments, the information obtained includes anattestation to one or more sensor measurements that have been made byone or more sensors of the device on which the authentication managerapplication is executed. For example, the attestation may indicate thatan accelerometer has measured at least a threshold amount of movementover a time period. As another example, an attestation may indicate thata global positioning service (GPS) sensor has been used to determine aparticular location of a device, such as through the use of in theattestation. Attestations to data collected using one or more othersensors including, but not limited to, microphones and cameras are alsoconsidered as being within the scope of the present disclosure.

In some embodiments, authentication objects are used to distinguishhuman users (human operators) from automated agents (often referred toas bots), such as automated agents that, in an automated fashion,transmit and receive information to navigate a website for variouspurposes, such as the collection of information from the website. Forexample, an authentication object may encode a solution to a test(puzzle) configured to be easier for human users to solve than forautomated agents. The test may be, for example, a completely automatedpublic Turing test to tell computers and humans apart (CAPTCHA) test. Insome embodiments, a user is able to interact with a user interface toinput a solution to a test and perform a drag and drop operation of aproposed solution to the test to submit the proposed solution. Theproposed solution may be encoded in an authentication object withadditional information, such as described above. In this manner, systemsrelying on such tests may utilize the enhanced usability provided byauthentication objects while still being able to mitigate the effects ofautomated agents.

In some embodiments, the authentication object manager may be executedby a second device and may enable a first device to access one or morerestricted computing resources using an authentication object of theauthentication object manager executed by the second device. Forexample, the user may attempt to access restricted resources of theservice provider on the user's desktop computer, the service providermay require additional authentication in order to enable the user accessto the restricted resources through the desktop computer. A prompt maythen be displayed on the second device executing the authenticationobject manager, such as the user's mobile phone, the prompt may enablethe user to select the appropriate authentication object to enable theuser's desktop computer access to the restricted resources of theservice provider. The second device may provide the authenticationobject directly to the first device requiring additional authenticationor the second device may provide the authentication object directly tothe service provider requesting the additional authentication. The firstdevice may use all or part of the authentication object in order to gainaccess to the one or more restricted resources. For example, theauthentication object received from the second device may include a hashof a password and GPS coordinates, the first device may simply providethe service provider with the GPS coordinates in order to gain access tothe requested resources.

The second device may capture and/or obtain information using one ormore sensors as described above. An attestation of the sensorinformation obtained by the second device may be included in theauthentication object. Furthermore, the second device may performadditional processing of the sensor information, such as facerecognition, pattern recognition, geo-fencing or other processing of thesensor data suitable for providing information usable in authentication.Once the second device has obtain the sensor information, the seconddevice may process the data in order to determine if the sensorinformation is valid. For example, the second device may check the GPScoordinates in order to determine if the second device is in therequired location. Additionally a trusted platform module (TPM) or othercryptographic module included in the second device may generate anattestation to the sensor information obtained by the second device. Forexample, the second device may include a mobile phone with a pluralityof cameras, the cameras may capture the user's hand and otherinformation about the environment as the user performs a drag and dropoperation on the second device. The attestation of the informationcollected by the cameras may be included in the authentication objectand provided to the first device in order to enable the first deviceaccess to restricted resources based at least in part on theauthentication object. Furthermore, the attestation of the sensorinformation may include information corresponding to the type of sensorresponsible for capturing the sensor information. For example, theattestation may include the type of fingerprint reader included in thesecond device and used to collect biometric information from the user ofthe second device. In various embodiments, the sensor information may beincluded in the authentication object with or without attestation. Theauthentication object may also include the attestation without includingthe sensor information collected by the second device corresponding tothe attestation. The authentication requirements of the authenticationobject manager or the system requiring two factor authentication may bemodified based at least in part on the type of sensors used.

The authentication manager may include information in the authenticationobject based at least in part on a device that is not executing theauthentication manager. For example, the second device including theplurality of cameras may capture a one-time password (OTP) obtained froma one-time password token and the captured OTP may be included in theauthentication object. The two factor authentication process may beinvoked or caused to be invoked by the authentication object manager butthe authentication object may be authenticated by a different system,such as the system receiving the authentication claim or a systemdesignated by the system receiving the authentication claim. Forexample, an authentication object may be authenticated by an identityprovider designated by the service provider.

FIG. 1 shows a diagram 100 illustrating various aspects of the presentdisclosure. In the illustrated embodiment, the diagram 100 shows agraphical user interface generated by an application which, in thisexample, is an interface of a browser application 102, although othertypes of applications may provide a graphical user interface. Thebrowser application may be executed on a computing device such as apersonal computer, notebook computer, tablet computer, mobile phone orother device. Executable code for generating the graphical userinterface may be application code stored locally on a device executingthe application or, as typical with browser applications, the code maybe generated remotely and transmitted to the device executing theapplication to be executed with the code of the browser application. Itshould be noted however that various aspects of the present disclosureare applicable to other types of interfaces and are not limited to thoseprovided through browser applications. For example, techniques of thepresent disclosure may be utilized in connection with mobileapplications on a mobile device that utilizes network communications. Inthe illustrative example of FIG. 1, the browser application displays aweb page 104 provided by a service provider 106. The service provider106 may for example operate a collection of computing devices, includingone or more web servers, to provide the web page 104 to various users.The service provider 106 may transmit the web page 104 in the form ofone or more hypertext markup language (HTML) documents or otherdocuments or collection of documents that are processed by the browserapplication 102 to display the web page 104 on a display device of acomputer system on which the browser application 102 is executed.

The service provider 106 may require a user to log in or otherwiseauthenticate an identity of the user in order to access certainresources of the service provider. The web page 104 may contain a signin screen or area 116 of the web page 104 usable for authentication.Additionally, the service provider may require authenticationinformation from another device before allowing access to the computingdevice executing the browser application 102. In various embodiments, amobile device 112 is used to provide authentication information useablefor accessing one or more resources of the service provider 106. Theauthentication object manager 108 may transmit a request to the mobiledevice 112 for the authentication information. The authentication objectmanager 108 may be configured such that access to representations 118,120, 122 of corresponding authentication objects is restricted until theauthentication information is received from the mobile device 112.Accordingly, as illustrated in FIG. 1, one state of the display of themobile device 112 may include an authentication screen 126. Theauthentication screen 126 may, for example, include a personalidentification number (PIN) field 114 and a submit button 124 to enablea user to submit credentials input into the PIN field 114 using akeyboard 110 of the mobile device 112.

The authentication information may be any information obtained by themobile device either by user input or one or more sensors and/or othercomponents of the mobile device 112. For example, the authenticationinformation may be a hash of the PIN entered by the user in the PINfield 114. The hash of the PIN may then be verified by theauthentication object manager 108 before access to representations 118,120, 122 of corresponding authentication objects is enabled. In variousembodiments, the mobile device 112 may execute a second authenticationobject manager and may provide authentication information by at leastreceiving the user's selection of a representation corresponding to anauthentication object. The mobile device 112 may also obtain informationcorresponding to a state of the computing environment which the mobiledevice 112 is in. For example, the mobile device 112 may collectinformation about one or more local area network and/or device attachedto the one or more local area networks. The mobile device 112 may alsocapture information corresponding to the state of the computingenvironment using one or more sensors included in the mobile device 112.For example, the mobile device 112 may capture one or more images usingcameras included in the mobile device 112. In another example, themobile device 112 may record a user finger-print using a finger-printscanner included in the mobile device 112. The authenticationinformation provided by the mobile device 112 may be verified by theauthentication object manager 108, another component of the mobiledevice 112, the service provider and/or component thereof, or anycombination thereof. Once the authentication information is successfullyverified, the authentication object manager 108 may then enable accessto representations 118, 120, 122 of corresponding authentication objectson the computing device executing the browser application 102.

As illustrated in FIG. 1, an authentication object manager 108 isdisplayed with the browser application 102 (i.e., a displaycorresponding to execution of the authentication object manager 108 isshown with a display corresponding to execution of the browserapplication 102). The authentication object manager 108, as discussed inmore detail below, may be implemented in various ways in accordance withvarious embodiments. For example, the authentication object manager 108may be an application, separate from the browser application 102,executing on the computer system that executes the browser application102. In some examples, the authentication object manager 108 is a pluginapplication of the browser application 102 and configured to operate inconjunction with the browser application 102, such as described in moredetail below. As illustrated in FIG. 1, in an embodiment, theauthentication object manager 108 provides access to a set ofauthentication objects. To provide access to a set of authenticationobjects, as illustrated in FIG. 1, the authentication object manager,for one or more authentication objects, provides for display of arepresentation of an authentication object to which access is provided.As illustrated in FIG. 1, for example, the authentication object manager108 provides for display representations 118, 120, 122 of correspondingauthentication objects.

In some embodiments, the authentication information from the mobiledevice 112 is transmitted directly to the service provider 106 and isseparate from the authentication object 118. The computer systemexecuting the browser application 102 may also submit the authenticationobject separate from the authentication information and the serviceprovider 106 may verify information contained in the authenticationobject corresponding to the representation 118 and the authenticationinformation provided by the mobile device 112. If verification by theservice provider 106 is successful, the service provider may provideaccess for which presentation of the authentication object correspondingto the representation 118 is sufficient and/or enable an operation to beexecuted by the computing device executing the browser application 102.Additionally, the mobile device 112 may provide the authenticationinformation to the service provider 106 and the service provider maytransmit a push notification to the computing device executing thebrowser application 102 indicating a result of verifying theauthentication information from the mobile device 112.

An authentication object, in an embodiment, is a collection ofinformation sufficient and/or necessary for access to one or moreservice provider systems. The information for example may comprisecredentials usable for access to a service provider system. In oneexample, an authentication object encodes a username and a passwordwhere the username and password are sufficient for access to the serviceprovider system. In this example the username and password may becredentials of a user on behalf of whom the authentication object ispresented, such as described in more detail below. In other embodimentsan authentication object may encode credentials not of the user, but ofthe authentication object manager, where one or more processes have beenperformed to enable the service provider system to associate credentialsof the authentication object manager 108 with credentials of a user,thereby enabling the authentication object manager 108 to authenticateon behalf of the user. In this manner, an authentication objectpresented to the service provider 106 may encode one or more credentialsof the authentication object manager and, by virtue of those credentialsbeing valid, the service provider may allow the user to obtain access toinformation provided by the service provider 106.

In some embodiments, each authentication object 118, 120, 122 is usablefor authentication with a different service provider. To authenticatewith a particular service provider, a user may select a representationof an authentication object corresponding to that service provider.Multiple different authentication objects may be used with the sameservice provider, in some embodiments. In some examples, differentauthentication objects are usable for different types of access to asystem of a service provider. A first authentication object may, forinstance, be usable for general authentication. A second authenticationobject may be usable to complete a commercial transaction (e.g.,purchase of one or more items offered for consumption in an electronicmarketplace). A third authentication object may be usable to change apassword and/or other account settings. Other examples are alsoconsidered as being within the scope of the present disclosure.

Further, in some embodiments, authentication objects associated with oneservice provider may be usable with other service providers. Forinstance, an authentication object associated with a social networkingservice may be usable with a provider of an electronic marketplace toenable a user to link a marketplace account with a social networkaccount without being burdened with having to enter credentials for bothproviders at the time the user directs the link to be established. Asyet another example of variations considered as being within the scopeof the present disclosure, an authentication object manager may beconfigured with programming logic to detect what authentication objectsare usable with a particular service provider, select thoseauthentication objects from a set of authentication objects thatincludes one or more authentication objects unusable with the serviceprovider, and provide representations of the selected authenticationobjects (excluding the unusable authentication objects) to make useridentification of a suitable authentication object easier.

Other variations include embodiments where authentication objects areaggregated into a single object, such as by aggregating the informationcontained in the individual authentication objects and/or by wrappingindividual authentication objects in another authentication object. Suchembodiments may be used, for example, instances where credentials formultiple providers are needed, such as the example above regardinglinking accounts of different providers.

As illustrated in FIG. 1, in various embodiments, the authenticationobject manager allows for user selection of a representation of anauthentication object and for indication of the selected authenticationobject to be used for authentication. In the particular illustrativeexample of FIG. 1, a user has selected a representation 118 of anauthentication object thereby selecting the corresponding authenticationobject. In this example, the user may indicate that the selectedauthentication object corresponding to the selected representation 118is to be used for authentication by performing a drag and drop operationfrom an area of the display of the authentication object manager 108 toan area 116 of the web page 104 usable for authentication. The drag anddrop operation may be performed, for example, by placing a cursor on therepresentation 118 holding a mouse button, such as a left mouse buttonshould a mouse device have two buttons, and moving the mouse so that therepresentation 118 moves on the display from the authentication objectmanager 108 to the area 116 for authentication, and releasing the buttonwhen the representation 118 is at least mostly within the area 116. Itshould be noted, however, that the particular method by whichauthentication objects are selected and indicated for use inauthentication may vary in accordance with various embodiments and inaccordance with the various types of interfaces used. For example, insome embodiments interaction with a touch screen may cause arepresentation of an authentication object to be moved from theauthentication object manager 108 to the area 116 for authentication. Asanother example, the authentication manager may provide representationsin the form of a drop down list, popup menu or other graphical userinterface element that enables selection of the representation.Generally, any way by which a representation of an authentication objectmay be selected and indicated for use in authentication may be used andthe scope of the present disclosure is not limited to those particularembodiments illustrated in the figures and described in connectiontherewith.

Turning back to the illustrative example shown in FIG. 1, the drag anddrop operation of the representation 118 of the authentication object tothe area 116 for authentication causes the browser application 102 tosend the corresponding authentication object to the service provider106. The service provider, as discussed in more detail below, may verifyinformation contained in the authentication object corresponding to therepresentation 118 and provide access for which presentation of theauthentication object corresponding to the representation 118 issufficient.

As with all specific embodiments illustrated and discussed herein,variations are considered as being within the scope of the presentdisclosure. For example, the figures extensively provide examples whererepresentations of authentication objects are graphical representations.Representations may be provided in other forms in accordance withvarious embodiments. For example, a user interface may provide an audiorepresentation of an authentication object where the audiorepresentation may comprise one or more sounds usable to identify acorresponding authentication object. As another example, a tactileinterface may provide a tactile representation of an authenticationobject where tactile features of the representation are usable todistinguish the authentication object from other tactile representationsof other authentication objects. Generally, any way by which aninterface may utilize one or more senses of a user to distinguishrepresentations of authentication objects from each other may be used.Generally, a representation of an authentication object may invoke oneor more senses of the user. Other variations are also considered asbeing within the scope of the present disclosure.

In various embodiments of the present disclosure, access to thefunctions of an authentication object manager is subject torestrictions. For example, in some embodiments, an authentication objectmanager is configured to not provide access to authentication objectsunless valid credentials have been presented to the authenticationobject manager or until a user has otherwise provided proof to theauthentication object manager that the user has the requisitecredentials and/or otherwise satisfies one or more requirementsprogrammed into the authentication object manager. FIG. 2, accordingly,shows an illustrative example of a diagram 200 illustrating variousaspects of the present disclosure whereby access to an authenticationobject manager is restricted. In the diagram 200, a browser application202 is presented, which may be the same browser application as discussedabove in connection in FIG. 1. Further, as with all techniques describedherein, the techniques while described in connection with a browserapplication are applicable to other applications. In the example of FIG.2, the browser application 202 displays a web page 204 on which anauthentication object manager 208 is superimposed, such as describedabove. The authentication object manager may provide access toauthentication objects through representations 210 and 214 of theauthentication objects. As described above in connection with FIG. 1, arepresentation of an authentication object may be selected and indicatedfor use in authentication through a drag and drop operation from theauthentication object manager 208 to an area 216 of the display forauthentication.

In various embodiments, as noted, access to authentication objectsmanaged by the authentication object manager 208 requires thepresentation of credentials such as a username and password for theauthentication object manager 208. FIG. 2, accordingly, shows anillustrative example of an interface 218 that allows for the input ofcredentials for providing access to functionality of the authenticationobject manager 208. The example interface 218 may appear in various waysin accordance with various embodiments. In some embodiments, forexample, the interface 218 may appear instead of the authenticationobject manager 208 in the display of the browser application 202. Asanother example, the interface 218 may be part of a login screen to theauthentication object manager presented separately from the browser 202.In yet another example, the interface 218 may be part of a login screenof an operating system where successful authentication (i.e.,presentation of valid credentials) is a requirement for access not onlyto the authentication object manager, but to other applications. Theinterface 218 may be a component of a browser plug-in application or anapplication separate from the browser. In another example, the interface218 may be provided by a website provided remotely from the device onwhich the interface 218 is displayed. The website may be, for example, acomponent of a system that manages authentication objects remotely forusers as a service. Other variations are also considered as being withinthe scope of the present disclosure.

In this example illustrated in FIG. 2, as noted, the interface 218 isconfigured to enable the input of credentials sufficient for access tofunctionality of the authentication object manager 208. In this example,the interface 218 includes a username field 220 and a password field 222which, in this example, are graphical user interface elements thatenable a user to enter (e.g., via a virtual or physical keyboard)alphanumeric input corresponding to respectively a username andpassword. As with all embodiments described herein, variations thatutilize different credentials or additional credentials are alsoconsidered as being within the scope of the present disclosure. Theinterface 218 may be displayed on a mobile device 212 or other deviceseparate from the computing device executing the browser application202. The mobile device 212 may provide additional authenticationinformation to the authentication object manager 208 or other entity.For example, the mobile device 212 may provide credential information ina two factor authentication operation.

In an embodiment, the authentication object manager 208 is configured toprovide access to authentication objects represented by therepresentations of the authentication objects 210 and 214 only aftervalid credentials have been input using the interface 218. Thus, oncethe interface 218 has been used by the user to provide validcredentials, the user may utilize the authentication object manager 208to select a representation of an authentication object and indicate thatthe selected representation should be used for authentication. In thisparticular example, the authentication object manager 208 is configuredto provide the user an ability to select a representation of anauthentication object usable to access functionality of a website ofwhich the web page 204 is a part. Accordingly, having selected arepresentation of an authentication object corresponding to validcredentials for the website, a system providing the website may enableaccess to another web page 224 of the website through which thefunctionality is accessible. For instance, the web page 224 illustratedin FIG. 2 includes user interface elements (buttons, in this example)which are selectable to obtain account specific information that wouldotherwise not be accessible had valid credentials not been providedeither through the authentication object manager 208 or otherwise suchas through manual entry of a username and password in appropriate fieldsfor the website.

Information provided to the system that provides the website may alsoinclude additional information, much of which is described below withmore detail. For example, the authentication object manager 208 mayutilize information from a trusted platform module 232 of the computingdevice on which the browser application 202 executes or the mobiledevice 221. The trusted platform module 232 may, for example, provide anattestation to the state of the computing environment in which thebrowser application 202 executes or the state of the computingenvironment associated with the mobile device 212. Other information,such as additional credential information, may be utilized by theauthentication object manager 208. In some embodiments, proof ofpossession by the user of an item for which possession by the user isnecessary according to at least one mode of authentication with theservice provider. Such proof, for instance, may comprise a one-timepassword (OTP) obtained from a one-time password token, which may be aseparate device from the computer device on which the browserapplication 202 executes or which may be integrated into the computingdevice. Other information, such as a personal identification number(PIN), other personal identifying information (e.g., demographicinformation), and, generally, additional information input by a user orotherwise obtained to increase security and prevent unauthorized use ofan authentication object manager to authenticate using authenticationobjects may be used.

In various examples described herein, users are described as providingauthentication objects to service providers for verification thereby.However, numerous variations are considered as being within the scope ofthe present disclosure. FIG. 3, for example, shows an illustrativeexample of an environment 300 in which an authentication object isverified not by the service provider for which access is desired by auser, but by another entity. That is, a computer system managed byanother entity. In an embodiment, the environment 300 includes a userdevice 302, a service provider 304 and an identity provider 306. Theuser device 302 is illustrated in FIG. 3 as a notebook computer,although the user device may be any device such as described elsewhereherein. The service provider 304 may comprise a collection of computingdevices, collectively configured to provide a service to one or moreusers through corresponding devices used by the users. The serviceprovider 304 may, for instance, provide a website or a backend systemsupporting a mobile or other application executing on the user device.The identity provider 306 may be a computer system comprising acollection of computing devices collectively configured to manageauthentication for a set of service providers including the serviceprovider 304. The identity provider 306 may, for example, be an entitythat operates its own services such as social networking services, anelectronic commerce website, its own other type of website and/or otherservices.

In an embodiment as illustrated in FIG. 3, the user device 302 providesan authentication object 308 to the service provider 304 for the purposeof authenticating with the service provider 304 and gaining access toservices for which authentication is required. The authentication object308 may be provided, for example, as a result of user input provided tothe user device 302 by a user of the user device 302. In anotherexample, the authentication object 308 may be provided by a mobiledevice 312. Alternatively, the mobile device 312 may provide theauthentication object 308 directly to the service provider 304. Invarious embodiments, the service provider 304 detects an attemptedaccess, by the user device 302, services for which authentication isrequired, the service provider 304 may then request, from the mobiledevice 312, the authentication object 308 for the purpose ofauthenticating the user device 302 with the service provider 304. Theuser may, for example, utilize a graphical user interface or otherinterface such as described above to select the authentication object.Instead of verifying the authentication object 308 itself, the serviceprovider 304 may transmit the authentication object 308 or informationderived therefrom to the identity provider 306. The identity provider306 may process the authentication object 308, such as bycryptographically verifying the authentication object 308 anddetermining whether credentials and/or other information provided in theauthentication object 308 are valid or otherwise satisfy one or moreconditions for authentication.

The identity provider 306 may make an authentication decision determinedbased at least in part on the authentication object 308 and generate anauthentication response which, in an embodiment, is a communication orcollection of communications that indicate whether authentication wassuccessful (e.g., whether the information contained within theauthentication object was sufficient for authentication). The generatedauthentication response may then be provided from the identity provider306 to the service provider 304. If the authentication response from theidentity provider 306 indicates that authentication was successful, theservice provider 304 may allow the user device 302 to access services(e.g., website functionality) for which authentication was required.

Similarly, if the authentication response indicates that authenticationwas not successful, or if the service provider 304 does not receive anauthentication response, the service provider 304 may continue torestrict access to services for which authentication is required,although access to other services such as browsing portions of a websitemay remain to be permitted.

In this manner, a user of the user device 302 is able to utilizeauthentication objects despite a service provider 304 not being able toprocess the particular authentication objects being used. Similarly, theservice provider 304 may utilize the services of another provider tomanage authentication to avoid having to manage authentication itself,or to expand the number of users that are able to access the serviceprovider's site by enabling users to utilize authentication services ofanother provider.

As with all embodiments described herein, variations are considered asbeing within the scope of the present disclosure. For example, in FIG. 3a flow of information is illustrated, where an authentication object istransmitted to the service provider 304 from the user device 302, andwhere the service provider 304 passes the authentication object 308 tothe identity provider 306 for verification. Variations includeembodiments where the user device 302 provides the authentication object308 directly to the identity provider 306, instead of through theservice provider 304. For example, a portion of a web-page provided bythe service provider 304 may be configured such that a request toauthenticate is transmitted by the user device 302 to a network addressof the identity provider 306, instead of a network address of theservice provider 304. A portion of the web-page may, for example, useframing techniques to frame a portion of content linked to the networkaddress of the identity provider 306.

The identity provider 306 may, upon successful verification of theauthentication object, provide cryptographically verifiable proof ofsuccessful authentication to the user device for use in provingsuccessful authentication with the service provider 304. For example,the proof may be encrypted using a public key of a public/private keypair for which the service provider 304 has access to the private key.As another example, the proof may be digitally signed by the identityprovider 306 using a private key of the identity provider such that theservice provider 304 can verify the digital signature using acorresponding public key. The user device 302 may provide the proof ofauthentication received from the identity provider 306 to the serviceprovider 304 in connection with requests submitted to the serviceprovider 304. The service provider 304 can cryptographically verify theproof and determine whether to provide access.

As noted, authentication objects may be configured in various ways inaccordance with various embodiments. FIG. 4, accordingly, shows anillustrative example of an authentication object and information thatmay be contained therein in accordance with various embodiments. Anauthentication object, in an embodiment, is a structured collection ofinformation forming an authentication claim sufficient forauthentication to one or more systems to which the authentication objectcorresponds. The authentication object may include authenticationinformation in a structured format utilizing, for example, a structuredmarkup language, such as extensible markup language (XML), JavaScriptobject notation (JSON), although other encodings of authenticationobjects are considered as being within the scope of the presentdisclosure. Generally, any way by which information may be encoded, in astructured or unstructured manner, may be used and the manner by whichinformation and authentication objects are encoded may vary inaccordance with the various systems to which the authentication objectsare submitted for authentication. One system, for example, may requireand/or treat as sufficient a first format, where a second system mayrequire and/or treat as sufficient a different format with differentinformation. Some systems may be configured with the ability to processunstructured information by determining if an authentication objectcontains information sufficient for authentication.

In the embodiment illustrated in FIG. 4, an authentication object 400includes one or more credentials sufficient for accessing a system towhich the authentication object corresponds. It should be noted that asingle authentication object may be usable for authentication withmultiple different systems which may be managed and operated bydifferent entities. In some examples, credentials 402 contained withinan authentication object 400 include long term alphanumeric credentials404 corresponding to an identity. Long term alphanumeric credentials maycomprise, for example, one or more of a username, password, electronicmail address, PIN, telephone number, physical mailing address, networkaddress, or other identifier or collection of identifiers thatcollectively uniquely map to an account of a system for which theauthentication object 400 is submittable. In some embodiments, insteadof a long-term credential being included directly in the authenticationobject 400, the authentication object 400 includes information generatedbased at least in part on one or more long term credentials, such as oneor more hash values of one or more long term credentials. Thus,regardless of whether the authentication object includes a long termcredential or information derived therefrom, the authentication object,in this example, has information based at least in part on the long termcredential. Long term credentials and information derived therefrom may,in some embodiments, may be included in the same authentication object.For example, an authentication object may include a username and a hashof a password. Credentials 402 of an authentication object 400 may alsoinclude biometric credentials 406. Example biometric credentialsinclude, but are not limited to, instances of information encoding oneor more fingerprints, one or more retinal scans, deoxyribonucleic acid(DNA), a human voice, an image of a face, typing cadence and others.Biometric credentials 406 generally may comprise information suitablefor use in a biometric authentication system. The information may, forexample, be an optical and/or capacitance scan of one or morefingerprints or information obtained by processing a scan of one or morefingerprints. Similarly, an image of a face or information obtained fromprocessing an image of a face may be used. Generally, the type ofbiometric information and the manner in which it is included in theauthentication object may depend from the capabilities of the system towhich the authentication object is submittable.

In an embodiment an authentication object 400 includes one or moreshort-term credentials 408. A short-term credential may be a credentialthat, due to a limited lifetime, is required to be presented to anauthentication object manager within a limited amount of time beforegeneration of the authentication object 400. Upon selection of arepresentation of the authentication object 400, for example, anauthentication object manager may obtain the one or more short-termcredentials 408 for inclusion in the authentication object 400. Asdiscussed above, example short-term credentials include an OTP codeobtained from an OTP token such as described above. Example OTP tokensinclude token devices produced by the EMC Corporation (e.g., RSA SecurIDtokens) and tokens produced by Gemalto NV. OTP tokens may also beintegrated into a device that provides authentication objects, such as auser computing device and information may be obtained therefromaccordingly. Another example of a short-term credential is acryptographically verifiable time stamp from a time server. Generally, ashort-term credential may be any credential valid for an amount of timedetermined as short and, as a result, the use of short term credentialsadds an additional layer of security in that the amount of time acompromised short-term credential is valid is limited, therebypreventing security breaches and/or the effects of security breaches.

In various embodiments, an authentication object 400 includes one ormore attestations. The one or more attestations may be attestations tovarious facts which are required to be true for authentication using theauthentication object 400 to be successful. As an example, anauthentication object 400 may include a computing environmentattestation 410 attesting to the integrity of the computing environmentand/or the integrity of one or more components of the computingenvironment. An attestation to a computing environment may includeinformation encoding the state of one or more components associated withan authentication object manager that manages the authentication object400. For example, the computing environment attestation 410 may indicatethat the computing device on which the authentication object manageroperates has a particular serial number or other identifier, isconnected to a particular network, that the computing device hasparticular anti-virus software running, that the anti-virus software hasbeen updated within some time defined as recent and/or has received anupdate with a specified identifier, that an operating system on whichthe authentication object manager operates has received a particularsoftware patch, that executable code of the authentication objectmanager or other executable code has been unmodified (or, generally,that the executable code is in an approved state), that the device onwhich the authentication object manager operates has one or morerequired security features (e.g., remote wipe) enabled and/or otherinformation about the computing environment in which the authenticationobject manager operates. In some examples, the computing environmentattestation 410 in an authentication object 400 includes informationabout other devices different from the device that presented and/orgenerated the authentication object 400. For instance, in someembodiments, multi-factor authentication requires cryptographicallyverifiable information from two or more separate authentication objectmanagers, each operating on a different device (e.g., a user's personalcomputer and the user's mobile device where both have been registered tothe owner in a system that verifies authentication objects).Accordingly, the computing environment attestation may includecryptographically verifiable information from multiple authenticationobject managers to enable authentication determinations.

As illustrated in FIG. 4, an authentication object 400 may also includesensor data attestation 412. Sensor data attestation may be anattestation to measurements made by one or more sensors of a computingdevice on which the authentication object manager is operating orgenerally any device which may be a different device for which theauthentication object manager can verify sensor measurements. As anillustrative example, to be sufficient for authentication, anauthentication object 400 may be required to contain an attestation thatan accelerometer of a computing device measured a certain amount ofactivity within a specified time period, such as the previous six hoursmeasured from a point of time in a process involved for generation ofthe authentication object 400 or since a particular time reference(e.g., 7:00 AM PST). Such an attestation may be useful, for example, asdiscussed in more detail below for children to prove, usingauthentication objects, to parents or other authorities that they haveengaged in a particular amount of physical activity prior to engaging inanother activity considered sedentary, such as watching television,playing electronic games or otherwise interacting with a system (e.g.,set top box, media player and/or gaming console) that may utilizeauthentication objects as an access control mechanism.

Other data included in the sensor data attestation may be an attestationthat a computing device is within a certain geo-fenced area asdetermined by a global positioning service sensor of the computingdevice. As an example, a system that processes an authentication objectmay verify attested global positioning service (GPS) data to verify thatthe authentication object was submitted from a device that is withinspecified distance of a reference location, which may be a staticreference location or which may be determined by, for instance, a GPSsensor of another device. The location may, of course, be determined inother manners. For example, the computing device may receivecoarse-grained location data using a location service. Both Wi-Fihotspots and cell towers can be used to approximate a location of thecomputing device. When the location service is polled, the IDs of theWi-Fi hotspots and cell towers in the area are sent to the locationservice, which includes a database storing location information on Wi-Fihotspots and cell towers. The location service returns an approximatelocation (e.g., latitude and longitude) of the computing device based onthe MAC address of the Wi-Fi hotspot. It should be noted that theaccuracy of the location data may be between 100 m-500 m using Wi-Fihotspots and greater than 500 m using cell towers. In contrast, theaccuracy of GPS location data may be between 2 m-20 m. Generally, anysensor included in the device may be used and sensor data attestation412 may include information based, at least in part, on measurementsfrom any of the sensors. The computing environment attestation 410 andsensor data attestation 412 may be obtained from a second computingdevice such as a mobile device described below in connection with FIG. 8and various other embodiments in accordance with the present disclosure.For example, the computing environment attestation 410 and sensor dataattestation 412 may be included in authentication informationtransmitted from a user mobile device to the computing deviceresponsible for generating the authentication object 400, as describedabove in connection with FIG. 1.

The manner in which attestations are provided in an authenticationobject may vary in accordance with various embodiments. For example, insome embodiments, attestations comprise expressions indicting thatparticular conditions are true, such as that a sensor has measured acertain amount of activity or that a GPS data indicates a locationwithin an area defined as suitable. Attestations with such expressionsmay lack the actual measurements. In other embodiments, an attestationmay include data that is measured for the attestation which is thenprocessed by a system that processes the authentication object. In thismanner, the attestation is an attestation that data is accurate andwhether the data satisfies conditions required for authentication orotherwise is determined by another system to which the authenticationobject 400 is submitted. Computing environment attestations may be usedin connection with sensor attestations to enable verification that, forinstance, executable code of an application (e.g., authentication objectmanager or other application) correctly and accurately calculates thatthe conditions are true and/or correctly and accurately provides sensordata. In other words, computing environment attestations may be used toprove that executable code that causes a computer system to providesensor data, provide conclusions determined based at least in part onsensor data and/or provide other information is unmodified and,therefore, can be trusted.

It should be noted that the authentication object 400 may include some(but not all) or all types of data illustrated in FIG. 4. In addition,an authentication object may include additional data not discussed herein and/or not illustrated in FIG. 4. Generally, the types of dataincluded in an authentication object may vary widely in accordance withvarious embodiments and with the various systems that may utilizeauthentication objects for authentication. Further, while FIG. 4 and theaccompanying description use various types of information included in anauthentication object for the purpose of illustration, in variousembodiments, an authentication object may lack some or all of theexample information but rather contain a verifiable (e.g.,cryptographically verifiable) attestation that various conditionsregarding an identity and/or a computing environment are satisfied. Suchan attestation may, for example, include a digital signature ofexecutable code of one or more applications configured to verify theconditions. Other variations are also considered as being within thescope of the present disclosure. The applications may be executed on adevice of the user on behalf of which the authentication object ispresented or another device.

In some embodiments, authentication objects may encode one or morepolicies. A policy encoded in an authentication object may specify oneor more limitations on use of the authentication object and/or one ormore permitted uses of the authentication object. Policies encoded inauthentication objects may be used, for example, in embodiments whereauthentication objects are used to delegate access rights to others,such as described in more detail below. Further, one or more policiesmay be transmitted (e.g., by a system requiring authentication) to anauthentication object manager. The authentication object manager maydetermine whether an authenticating device complies with the policy and,if applicable, include in authentication object a cryptographicallyverifiable or other attestation that the device complies with thepolicy. An attestation to the executable code of the authenticationobject manager and/or a digital signature of the policy may also beincluded to ensure that the attestation regarding compliance with policyis accurate. Policies used in such embodiments may specify conditions onone or more security features, such as certain security features beingenabled. Example security features include the ability to perform remotedata destruction, data destruction after a number of incorrect passcodeentry attempts, and/or others.

As illustrated by the lock symbol in FIG. 4, in an embodiment, anauthentication object 400 is generated in a secure manner. For example,in an embodiment, an authentication object 400 is generated to becryptographically verifiable, such as described above. For example, theauthentication object 400 or a portion thereof may be encrypted so as tobe decryptable by a system to which the authentication object 400 ispresented. For example, in an embodiment the authentication object 400or a portion thereof is encrypted using a public key of a public/privatekey pair where the private key of the public/private key pair issecurely maintained by a system that analyzes the authentication object400 for verification. The authentication object may be encrypted by thepublic key itself or in other ways utilizing the public key. Forexample, a symmetric cryptographic key may be generated and used toencrypt the authentication object 400 and the public key may be used toencrypt the symmetric key. The encrypted symmetric key may be providedas part of the authentication object 400 so that a system that processesthe authentication object 400 for the purpose of making authenticationdecisions may use its copy of the private key corresponding to thepublic key to decrypt the symmetric key and then use the symmetric keyto decrypt the authentication object. Other variations, includingencryption of the authentication object 400 using a symmetriccryptographic key maintained as a secret shared between the system thatencrypted the authentication object 400 and a system to which theauthentication object is presented for verification are also consideredas being within the scope of the present disclosure. Further, variousembodiments may utilize different layers of encryption and theverification of an authentication object may be performed by adistributed system having multiple components, each of which is able toaccess some, but not necessarily all, information in the authenticationobject through decryption.

As discussed above, the authentication object 400 may becryptographically verifiable in other ways, such as with the use ofdigital signatures. Some or all of the authentication object 400 may bedigitally signed using a key such that a digital signature of theauthentication object 400 is verifiable by a system that processes theauthentication object for making authentication decisions. In oneexample, some or all of the authentication object 400 may be digitallysigned using a private key of a public/private key pair. A certificatecorresponding to the private key may be provided as part of, orotherwise with, the authentication object 400 so that a systemprocessing the authentication object 400, for the purpose of makingauthentication decisions, may utilize a public key corresponding to theprivate key and may communicate with a certificate authority to verifythe authenticity of the certificate provided. Other variations,including variations in which symmetric cryptographic keys sharedbetween an authentication object manager or otherwise with a computingdevice on which the authentication object manager operates and thesystem that verifies authentication objects may be used to encryptand/or digitally sign some or all of the authentication object 400.

Other variations include variations where different parts of theauthentication object 400 are encrypted and/or digitally signed usingdifferent keys than discussed above. As one example, as discussed inmore detail below, a cryptographic module, such as a TPM, may be used togenerate an attestation. The attestation may be digitally signed and/orencrypted by the TPM, utilizing a key securely stored within the TPM andinaccessible to the authentication object manager. A certificate usableto verify this signature may be provided with the authentication object400 in connection with an attestation. Other portions of theauthentication object 400 including or excluding the attestation and/orcertificate may be digitally signed and/or encrypted using a keyaccessible to the authentication object manager. Other variations arealso considered as being within the scope of the present disclosure.

Further, it should be noted that data obtained for the authenticationobject may be obtained by a computer system that generates theauthentication object at different times. For example, some long-termalphanumeric credentials 404 may be obtained well in advance ofgeneration of the authentication object 400, such as during aprovisioning process of a representation of the authentication object400. During such a process, the user, for example, may input into anauthentication object manager the long-term alphanumeric credentials404. Other information (long-term and/or short-term credentials, e.g.)may be obtained at different times such as in response to an indicationthat an authentication object corresponding to a selected representationof the authentication object should be used for authentication. As anexample, once a representation of an authentication object is selectedfor authentication, a graphical user interface may prompt for the inputof biometric credentials (e.g., a scan of a biometric trait), a PIN, anOTP code or other information. An authentication object may includeinformation obtained at different times.

Other variations include variations where authentication objects areperiodically or aperiodically updated by a background process such thatan authentication object that is recent enough to be sufficient for usein authentication is available upon selection of a correspondingrepresentation of the authentication object. The background process may,for example, detect that a stored authentication object or storedinformation for an authentication object has expired and, as a result,may obtain or prompt to obtain fresh information which may then bestored and/or used to generate an authentication object that is storedfor future use.

The techniques by which authentication objects are usable may vary inaccordance with the devices on which an authentication object manageroperates or on the device connected to the service provider requiringauthentication. FIG. 5, for example, shows an illustrative example ofenvironment 500 of an embodiment enabling use of authentication objectsin two factor authentication schemas. An authentication manager mayoperate on a second device separate from a first device with anapplication used to gain access (e.g., to a service provider system).The second device may include a mobile device 512 and the first devicemay include a display device 530, both described in detail below. Byselection of a valid authentication object using an interface of thesecond device, access may become available using the first device. Suchfunctionality may be achieved in various ways, such as by transmissionof the authentication object from the second device to the first deviceover a short-range or other communication channel, thereby enabling thefirst device to submit the authentication object for authentication,possibly without user input to the first device by the user. Theshort-range communication channel may be established using varioustechnologies, such as induction wireless, infrared wireless (such astechnologies operating according to specifications and protocolsprovided by the Infrared Data Association, or IrDA) or ultra widebandformats. In some embodiments, the first and second devices may utilizeshort-range, low-power and high-frequency radio transmissions, such asBluetooth®. In still other embodiments, the first and second devices maysupport acoustic-based data transfer. For example, the second device mayinclude software components and a speaker that enable the second deviceto broadcast data to the first device as sound waves, while the firstdevice may include software components and microphone that enable thesecond device to receive the data embedded in the sound waves. Thus, oneor more of radio signal-based data transfer (e.g., near fieldcommunication (NFC) or Bluetooth®), light-based data transfer (e.g.,infrared data transfer), an acoustic-based data transfer (e.g., soundwave-embedded data), or magnetic field-based transfer (e.g., readingdata from a magnetic stripe) may be used for inter-device communication.The protocols and components for enabling computing devices to performthe systems and methods of the present disclosure using such means forinter-device communication are well known to those skilled in the art ofcomputer communications and thus, need not be described in more detailherein. Generally, embodiments described herein are not limited to thoseexplicitly illustrated herein. Furthermore, the second device may beconfigured to transmit the authentication object directly to the serviceprovider or identity provider, as described above in FIG. 3, with orwithout first transmitting the authentication object to the firstdevice. In such embodiments, an authentication object from the firstdevice and the second device may be required before the service providerenables access to the first device.

The mobile device 512 may be operating in accordance with acorresponding operating system such as a version of an Android operatingsystem, a Windows® phone operating system or an Apple® iOS operatingsystem, although the techniques of the present disclosure are notlimited to those operating systems discussed explicitly herein. Themobile device 512 may be the computing device described below inconnection with FIG. 9, or may be a computing device incorporatingcomponents of the device described above in connection with FIG. 9. Forexample, the mobile device may be a smartphone or table computingdevice, although the techniques described in connection with FIG. 5 arenot limited to such devices.

The display device 530, which displays a user interface 502 may enable auser to perform various operations. The display device may be, forexample, a computer monitor of a notebook or personal computer, adisplay of a mobile device, a display of a tablet computing device orotherwise a display of a computing device. In an embodiment, the userinterface 502 is provided by an operating system of a computing devicecausing the user interface 502 to be displayed. In the particularexample illustrated in FIG. 5, a display of a browser application 504 isdisplayed on the user interface 502. The browser application 504 may be,for example, as described above. In this particular example, the browserapplication 504 provides a purchase screen 506 from a web page fordisplay enabling the user to purchase the product 510 shown and select ashipping address from a drop down menu.

The purchase screen 506 may be presented, for example, to enable a userto purchase one or more products 510 or services of a service providerthat provides the web page 504 as part of a website. In someembodiments, the user may be able to add a new shipping address 508 aspart of purchasing a product or service of the service provider. Forvarious security reasons the service provider may require strongerauthentication when performing various operations such as adding a newshipping address 508. Various other operations may require strongerauthentication and/or may require varying levels of authentication. Forexample, adding a shipping address may require two factor authenticationwherein the second device (e.g., the mobile device 512) provides anauthentication object including a hash of the user's user name andpassword. However, an operation requiring the transfer of money from theuser's account with the service provider to a third party require twofactor authentication wherein the second device provides anauthentication object including additional information such asinformation obtained by one or more sensors of the second device asdescribed below in connection with FIG. 8.

In various embodiments, the authentication object manager applicationmay be executing as a background process of the computer systemconnected to display device 530 with little or no display indicative ofthe authentication object manager process. The authentication objectmanager may determine one or more operations the user is attempting toperform that require two factor authentication. The authenticationobject manager may then cause the computer system to transmit anauthentication request to the mobile device 512 executing a secondauthentication object manager. In some embodiments, the mobile device512 may be registered with the service provider as a two factorauthentication device configured to provide additional and/or strongerauthentication. In yet other embodiments, the computing device detectsthe presences of the mobile device 512 and determines the mobile deviceis capable of providing additional and/or stronger authentication basedat least in part on one or more attributes of the mobile device 512,such as one or more sensors included in the mobile device 512.

As illustrated in FIG. 5, one or more operation performed by the user onthe computing device may cause a display to prompt for credentials onthe mobile device 512. Accordingly, as illustrated in FIG. 5, one stateof the display of the mobile device 1400 may include an authenticationscreen 516. The authentication screen 516 may, for example, include oneor more representations of available authentication objects usable forauthentication in various contexts, such as two factor authenticationdescribed above. In this example, three authentication objects 518, 520and 522 are displayed, although there may be greater than three or lessthan three representations displayed or otherwise available forselection. It should be noted that, as with other embodiments describedherein, the authentication objects may appear differently thanillustrated in the drawings. For example, a representation of anauthentication object may include a logo and/or textual identifier ofthe service provider (or multiple service providers) for which theauthentication object is usable.

In this example, a user may select an authentication object by tappingon the display in an area corresponding to a correspondingrepresentation of the authentication object. In this example, a usertaps a first authentication object 518. Other ways of selecting arepresentation of an authentication object may be used. For example, thedisplay of the mobile device 512 may have a visual indicator (e.g.,graphic) of an object for receiving representations of authenticationobjects (e.g., a graphic of a coin slot or key hole) and a drag and dropoperation into the visual indicator may be used for selection of therepresentation in some embodiments. Generally, any way by which userinput to the mobile device 512 can indicate selection of arepresentation of an authentication object is considered as being withinthe scope of the present disclosure.

As a result of selection of the representation 418 of the authenticationobject, the authentication object corresponding to the representation518 may be submitted to a system for which the authentication screen 516prompted for credentials. The authentication object manager may, forexample, cause an application whose display corresponds to theauthentication screen 516 to submit the authentication object to anothersystem for verification. However, as noted above, the authenticationobject manager may submit the authentication object itself. As a resultof the authentication object having been submitted and also being valid,a display of the mobile device 512 may change to show a display enablingaccess for which authentication was required and for whichauthentication was provided by submission of the authentication object.The display device 530 may also change to show a display enabling accessfor which authentication was required. In various embodiments, thedisplay device 530 and/or the mobile device 512 may display aconfirmation indicating that the operation attempted by the user hascompleted successfully. For example, the display device 530 may displayan indication to the user that the operation of adding the shippingaddress, as illustrated in FIG. 5, may proceed as a result of theauthentication object submitted by the mobile device 512 being valid.

As with other illustrative examples shown herein, variations areconsidered as being within the scope of this present disclosure. Forinstance, in some embodiments, the authentication object generated inaccordance with various techniques described herein is formatted so thatthe authentication object, from the perspective of programming logic ofa system verifying the authentication object, is indistinguishable fromauthentication objects submitted in conventional manners (e.g.,authentication objects transmitted upon user input of a username andpassword and an indication to submit the username and password). Forinstance, an authentication object may be transmitted with the sameinformation and with the same formatting regardless of whether theauthentication object was transmitted due to conventional techniques ortechniques described herein. Any distinguishable differences in theauthentication objects (e.g., information identifying a technique usedto cause transmission of the authentication object) may be included soas to not affect the programming logic of a server that verifiesauthentication objects. In this manner, an authentication object managerand, generally, techniques described herein are usable withoutmodification to servers that verify authentication objects.

In addition, as discussed above, authentication for the authenticationobject manager may also be required before authentication objects aremade available. Accordingly, a screen may require input of credentialsto the authentication object manager before enabling selection fromrepresentations of authentication objects. Other operations may serve assufficient authentication for the authentication object manager. Forexample, entry of a PIN to unlock the mobile device 512 may besufficient to enable access to authentication objects through theauthentication object manager. Authentication for access to theauthentication manager may take place in various ways, which may beuser-configurable through one or more settings screens and which mayvary in accordance with device capabilities. For example, in someembodiments, a fingerprint scan or image of the user may suffice. Inother embodiments, a short-range communication with another device(e.g., card with RFID chip) may enable access to the authenticationobject manager. In yet other embodiments, manual entry of credentialsmay be used. Other variations are also considered as being within thescope of the present disclosure.

FIG. 6 illustrates a messaging diagram 600 where one or more computersystems running within a computing resource service provider environmentas well as outside a computing resource service provider environment, aswell as the associated code running thereon, may, in response to arequest, require two factor authentication in order to complete one ormore operations. A first device 602 may connect to a service provider604 and may initiate connection with and/or interaction with one or moreapplications running on a server of the service provider 604. The firstdevice may be a computing device as described above and may execute abrowser application 608 configured to enable access to one or morerestricted resources of the service provider 604. Access to at least aportion of the one or more restricted resources of the service provider604 may require additional authentication such as two factorauthentication. Furthermore, operation performed or attempted to beperformed by a user may require additional authentication. The seconddevice 606 may provide additional authentication information and/or maybe used to perform a two factor authentication operation. The seconddevice may include, for example, the mobile device described above inconnection with FIG. 5.

As illustrated in FIGS. 6A and 6B, the user may attempt to perform anaction using a browser application 608 executed by the first computingdevice 602. The attempted operation by the user may cause the firstcomputing device 602 to transmit a request to perform the operation 610to the service provider 604. For example, the user may attempt totransfer a sum of money from a user account managed by the serviceprovider 604 to a third party using web browser 608. The serviceprovider 604 may be configured such that transfers of money to any thirdparty using a website operated by the service provider 604 requires twofactor authentication. The service provider may determine that otheroperations may require additional authentication, for example, requestsreceived from an unknown and/or untrusted IP addresses may requireadditional authentication. The service provider 604 may maintain a setof rules or define heuristic configured to enable the service provider604 to determine whether to require additional authentication and thestrength on the authentication required. For example, an operationrequiring the transfer of money may require authentication up to a fullregistration operation in order to be complete. The registrationoperation may include a set of operations required to be performed bythe user using one or more user devices in order to authenticate theuser to the service provider 604. For example, the registrationoperation may include setting a user name and password, providing afingerprint scan, capturing information suitable for facial recognition.After which authentication of the user may require one or more of theoperations performed during the registration operation.

Once the service provider 604 has determined that additionalauthentication is required, the service provider may return in responseto the request to perform the operation 610 a response indicating thatadditional authentication is required 612. The response may includeinformation indicating the second device 606 capable of providingadditional authentication information. In various embodiments, theresponse indicates one or more sensors or types of sensors or otherattributes of a computing device suitable for providing the additionalauthentication information, the first device 602 then determines asecond device meeting the requirements indicated in the response. Thefirst device 602 may then transmit a request for the additionalauthentication information 614 to the second device 606. The request maybe transmitted using NFC as described above. Furthermore, the requestmay indicate a particular type of authentication information required.For example, the request may indicate that a user name and password arerequired. In various embodiments, the request may be received directlyfrom the service provider 604 or other entity requiring the additionalauthentication information.

The second device 606 may prompt the user for authenticationinformation. As illustrated in FIG. 6, the prompt may be configured togenerate authentication information suitable for confirming the useraction performed on the first computing device 602. The additionalauthentication information may include an authentication object asdescribed above. Various techniques described herein may be used toenable the authentication manager executed by the second device 606 toreceive a user selection of an authentication object and configure theauthentication object for use as the additional authenticationinformation. The second device 606 may then transmit a response to thefirst device including the authentication information 616.

Turning to FIG. 6B, in various embodiments, the second device 606transmits the authentication object directly to the service provider orother system delegated by the service provider to receive theauthentication object. The second device 606 may transmit theauthentication object or other authentication information to the serviceprovider 604 and the service provider may transmit an indication to thefirst user device 602 indicating a result of verifying, by the serviceprovider. Returning to FIG. 6A, the first device may receive theauthentication object and provide the authentication object in response618 to the service provider 604. The service provider may determine thereceived authentication object is valid and enable the first device 602access if the authentication object is valid. Furthermore, the firstdevice 602 may modify the authentication object received from the seconddevice 606 before transmitting the authentication object to the serviceprovider 604 for verification.

FIG. 7 shows an illustrative example of a process 700, which may be usedto perform a two factor authentication operation where at least onedevice executes an authentication object manager in accordance withvarious embodiments. The process may be performed by any suitablesystem, such as by a user device described above, or generally, anydevice that implements an authentication object manager. In anembodiment, the process 700 includes detecting user input indicating anintent to perform an operation using a first device 702. A userinterface of the first device, for example, may have been used by a userto select a representation of an operation or portion of an operationthe user is attempting to perform. Detecting the user input may includetransmitting information from the first device to the service provider.The first device and/or the service provider may then determine theoperation attempted to be performed by the user requires additionalauthentication information 704. As described above, the determinationthat the operation requires additional authentication information may bebased at least in part on a set of rules.

The first device may then cause a prompt to be displayed to the user ona second device 706. In various embodiments, the service provider maydirectly cause the prompt to be displayed to the user. The second devicemay be registered with the service provider or may be registered withthe authentication object manager executed by the first device. Theprompt may be caused to be displayed by an authentication object managerexecuted by the second device. The prompt may include a notification orother icon to be displayed on the second device, the notification onceselected may cause a user interface of the second device to display oneor more authentication objects selectable by the user and configured toprovide the additional authentication information. Once the user hasselected the appropriate authentication object, the second device maytransmit the authentication object to the first device and/or theservice provider. In various embodiments, the second device may obtainadditional information not prompted to the user. For example, the seconddevice may obtain one or more attributes of the environment the seconddevice is in, such as GPS coordinates, local network attributes,accelerometer data and other information collected suitable forauthentication.

Returning to process 700, the first device may receive theauthentication object from the second device 708. The first device maythen modify or convert the authentication object to a format usable bythe service provider. The authentication object may then be provided tothe service provider 710. The authentication object may be provided overthe same or a different connection used to transmit the user requestindicating the operation attempted by the user. Once received by theservice provider, the service provider may then determine if theauthentication object is valid 712. If the authentication object is notvalid the service provider may deny the request access 714. For example,the service provider may prevent the execution and/or completion of theoperation attempted by the user. The operations attempted by the usermay include attempts to access one or more restricted computingresources of the service provider. If the authentication object is validthe service provider may enable access on the first device, the accessmay be configured to enable the first device to complete the operationattempted to be performed by the user.

As noted above, the authentication object manager may collectinformation corresponding to the environment using one or more sensorsincluded in the user device executing the authentication object manager.FIG. 8, for example, shows an illustrative example environment 800 of anembodiment enabling use of one or more sensors to collect informationusable in authentication by the authentication object manager.Environment 800 may include a mobile device 812, the mobile device 812may be the computing device described below in connection with FIG. 9,or may be a computing device incorporating components of the devicedescribed above in connection with FIG. 9. For example, the mobiledevice may be a smartphone or tablet computing device, although thetechniques described in connection with FIG. 8 are not limited to suchdevices. Furthermore, the mobile device 812 may include one or morecameras 832, the cameras 832 may include a flash or other light emittingdevice such as a light emitting diode (LED). The cameras 832 may beconfigured to capture information during the execution of one or moreoperations utilizing the authentication object manager executed by themobile device 812.

In some embodiments, for example, the user may perform a drag and dropoperation of an authentication object 818 onto a web page 806 or adesignated area thereof displayed on a display device 830. The displaydevice 830 may be a device as described above in connection with FIG. 5configured to display information generated by a computer systemconnected to the display device 830. Returning to FIG. 8, as a result ofdragging the authentication object 818 to the web page 806, or anotherarea designated for authentication using authentication objects, one ormore operations may occur. In some embodiments, the username andpassword fields are populated to enable a user to select a buy button814 to submit the credentials to a system for verification. In otherembodiments, the effect of dragging the authentication object 818 intothe web page 806, or other area designated for authentication may causean authentication object corresponding to the authentication object 818to be submitted without the user having to select the buy button 814, orotherwise indicating (e.g. by pressing an enter key) a submission forauthentication. For example, the authentication object manager processmay submit the authentication object itself or may call a function ofthe browser application to cause the browser application to submit theauthentication object corresponding to the authentication object 818.

For example, as with other interfaces, instead of automatic submissionof an authentication object upon selection of a representation, otheroperations may occur. For example, upon selection of a representation ofan authentication object 818, the webpage 506 may appear with theusername field and password field populated to enable the user to selectthe buy button 814. Selection of the buy button 814 may cause submissionof the authentication object 818, which may encode the username and/orpassword and/or information derived from the username and/or password.In some embodiments, the information submitted upon selection of the buybutton 814 may be different depending on whether the user has manuallyentered credentials or has selected an authentication object. It shouldbe noted that, in some embodiments, the authentication object, whetherautomatically submitted or submitted as a result of submission of a“submit” or other user interface element may be formatted in variousways in various embodiments.

During the drag and drop operations described above the one or morecameras 832 on the mobile device 812 may capture the movement or otherinformation corresponding to the user and or environment in order to addadditional authentication information to the authentication object 818.For example, the cameras 832 may detect the user's hand or other objectused to complete the drag and drop operation. Furthermore, the cameras832 may enable detection of the motion of the user's hand obviating theneeds for the screen 816 of the mobile device 812 to be a touch screen.Furthermore, the placement of the authentication object on the screen816 of the mobile device 812 may be correlated with the location of theuser's hand based at least in part on information captured by thecameras 832. For example, the first time the mobile device is used toprovide additional authentication information the authentication object818 is in the upper left of the mobile device's 812 screen 816, the nexttime the mobile device 812 is used during authentication, theauthentication object 818 may be placed in the bottom right on themobile device's 812 screen 816. The cameras 832 may then be used todetermine location of the user's hand during each drag and dropoperation and correlated with the location of the authentication objectin order to provide stronger authentication. Furthermore, the drag anddrop operation or separate authentication process may require the userto drag the authentication object 818 through a particular pattern onthe screen 816 of the mobile device 802. The cameras 832 may then trackthe path taken by the user's finger to ensure that the user traced thecorrect path. If the mobile device 812 includes a touch screen, theinformation collected by the cameras 832 may be checked againstinformation collected by the touch screen. Similarly the user may berequired to draw their signature on the screen of the mobile device 812in order to provide additional authentication information.

The cameras 832 may also capture other information from the environmentsuch as the user's face or information displayed and/or outputted by themobile device 812 or display device 830. For example, the cameras 832may capture light emitted by the mobile device 812 or display device830. Furthermore, the service provider may indicate a particular patternof light, including light in a spectrum not visible to humans, to bedisplayed by the mobile device 812 or display device 830 and captured bythe cameras 832. For example, the authentication object manager executedby the mobile device 812 may cause an infrared LED included in themobile device 812 to display infrared light in a particular patternduring drag and drop operations. The cameras 832 may then capture thepattern of infrared light and include information corresponding to thecaptured pattern in the authentication object. In various embodiments, acomputing device other than the mobile device 812 may be responsible forcapturing the particular pattern of light. For example, the computingdevice and/or display device 830 may include one or more cameras, theone or more cameras may then capture the light emitted by the mobiledevice 812. The information captured by the one or more cameras may thenbe included in the authentication object received from the mobile device812 or transmitted to the service provider for authentication.

Furthermore, the cameras 832 may be used to capture information useableto detect movement of the authentication object 818, by the user, inthree dimensions. The mobile device 812 may also contain athree-dimensional display enabling users to interact with theauthentication object in various ways, such as picking up and droppingthe authentication object. The mobile device 812 may also performliveness detection to prevent against various attacks, such as aspoofing attack. For example, the mobile device 812 may turn off theblue image sensor of the cameras 832 and detect the heartbeat of theuser if the mobile device 812. The mobile device 812 may using thecameras 832 obtain information corresponding to the computingenvironment of the mobile device 812 and the display device 830, theinformation may include any information suitable for authentication theuser and/or the computing devices to the service provider. For example,the mobile device 812 may obtain an image of the user's face suitablefor facial recognition capable of authenticating the user. Furthermore,the mobile device 812 may provide the service provider with theauthentication object 818 capable of authentication the mobile device812 to the service provider.

FIG. 9 is an illustrative, simplified block diagram of an example devicesystem 900 that may be used to practice at least one embodiment of thepresent disclosure. In various embodiments, the device system 900 may beused to implement any of the systems illustrated herein and describedabove. For example, the device system 900 may be used to implement anauthentication object manager and other applications, such as a browserapplication, in accordance with various embodiments. As shown in FIG. 9,the device 900 may include one or more processors 902 that may beconfigured to communicate with and are operatively coupled to a numberof peripheral subsystems via a bus subsystem 904. These peripheralsubsystems may include a storage subsystem 906, comprising a memorysubsystem 908 and a file storage subsystem 910, one or more userinterface input devices 912, one or more user interface output devices914, a network interface subsystem 916, a cryptographic module 924,comprising a memory subsystem 930 and one or more cryptographicprocessors 932. The peripheral subsystems may also include one or moresensors 934 in addition to sensors of input devices 912. Such sensorsmay include, but are not limited to, GPS sensors, accelerometers,temperature sensors and others.

The bus subsystem 904 may provide a mechanism for enabling the variouscomponents and subsystems of device system 900 to communicate with eachother as intended. Although the bus subsystem 904 is shown schematicallyas a single bus, alternative embodiments of the bus subsystem mayutilize multiple busses.

The network interface subsystem 916 may provide an interface to otherdevice systems and networks. The network interface subsystem 916 mayserve as an interface for receiving data from and transmitting data toother systems from the device system 900. For example, the networkinterface subsystem 916 may enable transmission of authenticationobjects and other information, such as electronic requests to access asystem (e.g., receive a webpage) and may enable receipt of responses tothe requests, such as webpages or other information. The networkinterface subsystem 916 may also facilitate the receipt and/ortransmission of data on other networks, such as an organizationsintranet and/or other networks described below.

The user interface input devices 912 may include one or more buttons, akeyboard, keypad, pointing devices, such as an integrated mouse,trackball, touchpad, or graphics tablet, a scanner, a barcode scanner, afingerprint scanner, a retinal scanner, a touchscreen incorporated intoa display, audio input devices, such as voice recognition systems,microphones, fingerprint readers, retinal scanners and other types ofinput devices. Further, in some embodiments, input devices may includedevices usable to obtain information from other devices, such aslong-term or short-term credentials for use in generating anauthentication object, as described above. Input devices may include,for instance, magnetic or other card readers, one or more USBinterfaces, near field communications (NFC) devices/interfaces and otherdevices/interfaces usable to obtain data (e.g., long-term or short-termcredentials) from other devices. In general, use of the term “inputdevice” is intended to include all possible types of devices andmechanisms for inputting information to the device system 900.

User interface output devices 914, if any, may include a displaysubsystem, a printer or non-visual displays, such as audio and/ortactile output devices, etc. Generally, the output devices 914 mayinvoke one or more of any of the five senses of a user. The displaysubsystem may be a cathode ray tube (CRT), a flat-panel device, such asa liquid crystal display (LCD), light emitting diode (LED) display, or aprojection or other display device. In general, use of the term “outputdevice” is intended to include all possible types of devices andmechanisms for outputting information from the device system 900. Theoutput device(s) 914 may be used, for example, to present userinterfaces to facilitate user interaction with applications performingprocesses described herein and variations therein, when such interactionmay be appropriate. While a device 900 with user interface outputdevices is used for the purpose of illustration, it should be noted thatthe device 900 may operate without an output device, such as when thedevice 900 is operated in a server rack and, during typical operation,an output device is not needed.

The storage subsystem 906 may provide a computer-readable storage mediumfor storing the basic programming and data constructs that may providethe functionality of at least one embodiment of the present disclosure.The applications (programs, code modules (i.e., programming modules),instructions) that, when executed by one or more processors, may providethe functionality of one or more embodiments of the present disclosure,may be stored in the storage subsystem 906. These application modules orinstructions may be executed by the one or more processors 902. Thestorage subsystem 906 may additionally provide a repository for storingdata used in accordance with the present disclosure. The storagesubsystem 906 may comprise a memory subsystem 908 and a file/diskstorage subsystem 910.

The cryptographic module 924, which may be a trusted platform module(TPM), includes a memory subsystem 930, including a main random accessmemory (RAM) 928 for storage of instructions and data during programexecution and a read only memory (ROM) 926, in which fixed cryptographicinformation may be stored, such as a hardware secret stored securelywithin the device 900 so as to be non-exportable (i.e., inaccessiblethrough any call to the cryptographic module 924). The cryptographicmodule 924, in some embodiments, operates wholly or partly in compliancewith Trusted Computing Group's TPM Main Specification level 2, Version1.2, Revision 116, TPM Main Specification level 2, Version 1.2, Revision103 and/or ISO/IEC 11889, which are incorporated herein by reference.The device 900 may also store cryptographic keys in RAM 928 and/orprocessor registers for temporary cryptographic processing. Thecryptographic information stored in memory may be used in combinationwith cryptographic information obtained via the network interface 916and/or one or more of the user interface input devices 912. The one ormore cryptographic processors may be used to perform cryptographicoperations in the device and may include a random number generator,SHA-2 or other hash generator and an encryption-decryption-signatureengine.

The one or more cryptographic processors may also be configured toperform one or more encryption/decryption algorithms in accordance withone or more cryptographic algorithms, such as public key and/or privatekey cryptographic algorithms. For example, as discussed, numerousvariations utilize symmetric and/or asymmetric cryptographic primitives.Symmetric key algorithms may include various schemes for performingcryptographic operations on data including block ciphers, stream ciphersand digital signature schemes. Example symmetric key algorithms include,but are not limited to, the advanced encryption standard (AES), the dataencryption standard (DES), triple DES (3DES), Serpent, Twofish,blowfish, CASTS, RC4 and the international data encryption algorithm(IDEA). Symmetric key algorithms may also include those used to generateoutput of one way functions and include, but are not limited toalgorithms that utilize hash-based message authentication codes (HMACs),message authentication codes (MACs) in general, PBKDF2 and Bcrypt.Asymmetric key algorithms may also include various schemes forperforming cryptographic operations on data. Example algorithms include,but are not limited to those that utilize the Diffie-Hellman keyexchange protocol, the digital signature standard (DSS), the digitalsignature algorithm, the ElGamal algorithm, various elliptic curvealgorithms, password-authenticated key agreement techniques, the palliercryptosystem, the RSA encryption algorithm (PKCS#1), the Cramer-Shoupcryptosystem, the YAK authenticated key agreement protocol, theNTRUEncrypt cryptosystem, the McEliece cryptosystem, and others.Elliptic curve algorithms include the elliptic curve Diffie-Hellman(ECDH) key agreement scheme, the Elliptic Curve Integrated EncryptionScheme (ECIES), the Elliptic Curve Digital Signature Algorithm (ECDSA),the ECMQV key agreement scheme and the ECQV implicit certificate scheme.Other algorithms and combinations of algorithms are also considered asbeing within the scope of the present disclosure. Generally, one or morecomponents of the cryptographic module 924 may be configured tocollectively perform various operations used generatingcryptographically verifiable information for authentication objects.

As noted above, in various embodiments of the present disclosure,hardware secrets are securely stored within the cryptographic module924. In some embodiments, the cryptographic module is implemented as ormay contain a physically unclonable function (PUF), which is a functionimplemented in physical hardware to use one or more hardware secretsthat are based at least in part on physical characteristics of the PUF.As a result, any attempt to obtain a hardware secret may requirephysical intrusion into the PUF and physical intrusion may alter thephysical characteristics of the PUF, thereby destroying the hardwaresecret. Example PUFs that may be used include PUFs usingexplicitly-introduced randomness, optical PUFs, coating PUFs, PUFs usingintrinsic randomness, delay PUFs, static random access memory (SRAM)PUFs, butterfly PUFs, bistable ring PUFs, magnetic PUFs, metalresistance PUFs and/or other devices whose physical characteristicsencode information usable as or for a hardware secret.

FIG. 10 illustrates aspects of an example environment 1000 forimplementing aspects in accordance with various embodiments. As will beappreciated, although a web-based environment is used for purposes ofexplanation, different environments may be used, as appropriate, toimplement various embodiments. The environment includes an electronicclient device 1002, which can include any appropriate device operable tosend and/or receive requests, messages or information over anappropriate network 1004 and, in some embodiments, convey informationback to a user of the device. Examples of such client devices includepersonal computers, cell phones, handheld messaging devices, laptopcomputers, tablet computers, set-top boxes, personal data assistants,embedded computer systems, electronic book readers and the like. Thenetwork can include any appropriate network, including an intranet, theInternet, a cellular network, a local area network, a satellite networkor any other such network and/or combination thereof. Components usedfor such a system can depend at least in part upon the type of networkand/or environment selected. Protocols and components for communicatingvia such a network are well known and will not be discussed herein indetail. Communication over the network can be enabled by wired orwireless connections and combinations thereof. In this example, thenetwork includes the Internet, as the environment includes a web server1006 for receiving requests and serving content in response thereto,although for other networks an alternative device serving a similarpurpose could be used as would be apparent to one of ordinary skill inthe art.

The illustrative environment includes at least one application server1008 and a data store 1010. It should be understood that there can beseveral application servers, layers or other elements, processes orcomponents, which may be chained or otherwise configured, which caninteract to perform tasks such as obtaining data from an appropriatedata store. Servers, as used herein, may be implemented in various ways,such as hardware devices or virtual computer systems. In some contexts,servers may refer to a programming module being executed on a computersystem. As used herein, unless otherwise stated or clear from context,the term “data store” refers to any device or combination of devicescapable of storing, accessing and retrieving data, which may include anycombination and number of data servers, databases, data storage devicesand data storage media, in any standard, distributed, virtual orclustered environment. The application server can include anyappropriate hardware, software and firmware for integrating with thedata store as needed to execute aspects of one or more applications forthe client device, handling some or all of the data access and businesslogic for an application. The application server may provide accesscontrol services in cooperation with the data store and is able togenerate content including, but not limited to, text, graphics, audio,video and/or other content usable to be provided to the user, which maybe served to the user by the web server in the form of HyperText MarkupLanguage (“HTML”), Extensible Markup Language (“XML”), JavaScript,Cascading Style Sheets (“CSS”) or another appropriate client-sidestructured language. Content transferred to a client device may beprocessed by the client device to provide the content in one or moreforms including, but not limited to, forms that are perceptible to theuser audibly, visually and/or through other senses including touch,taste, and/or smell. The handling of all requests and responses, as wellas the delivery of content between the client device 1002 and theapplication server 1008, can be handled by the web server using PHP:Hypertext Preprocessor (“PHP”), Python, Ruby, Perl, Java, HTML, XML oranother appropriate server-side structured language in this example. Itshould be understood that the web and application servers are notrequired and are merely example components, as structured code discussedherein can be executed on any appropriate device or host machine asdiscussed elsewhere herein. Further, operations described herein asbeing performed by a single device may, unless otherwise clear fromcontext, be performed collectively by multiple devices, which may form adistributed and/or virtual system.

The data store 1010 can include several separate data tables, databases,data documents, dynamic data storage schemes and/or other data storagemechanisms and media for storing data relating to a particular aspect ofthe present disclosure. For example, the data store illustrated mayinclude mechanisms for storing production data 1012 and user information1016, which can be used to serve content for the production side. Thedata store also is shown to include a mechanism for storing log data1014, which can be used for reporting, analysis or other such purposes.It should be understood that there can be many other aspects that mayneed to be stored in the data store, such as page image information andaccess rights information, which can be stored in any of the abovelisted mechanisms as appropriate or in additional mechanisms in the datastore 1010. The data store 1010 is operable, through logic associatedtherewith, to receive instructions from the application server 1008 andobtain, update or otherwise process data in response thereto. Theapplication server 1008 may provide static, dynamic or a combination ofstatic and dynamic data in response to the received instructions.Dynamic data, such as data used in web logs (blogs), shoppingapplications, news services and other such applications may be generatedby server-side structured languages as described herein or may beprovided by a content management system (“CMS”) operating on, or underthe control of, the application server. In one example, a user, througha device operated by the user, might submit a search request for acertain type of item. In this case, the data store might access the userinformation to verify the identity of the user and can access thecatalog detail information to obtain information about items of thattype. The information then can be returned to the user, such as in aresults listing on a web page that the user is able to view via abrowser on the user device 1002. Information for a particular item ofinterest can be viewed in a dedicated page or window of the browser. Itshould be noted, however, that embodiments of the present disclosure arenot necessarily limited to the context of web pages, but may be moregenerally applicable to processing requests in general, where therequests are not necessarily requests for content.

Each server typically will include an operating system that providesexecutable program instructions for the general administration andoperation of that server and typically will include a computer-readablestorage medium (e.g., a hard disk, random access memory, read onlymemory, etc.) storing instructions that, when executed by a processor ofthe server, allow the server to perform its intended functions. Suitableimplementations for the operating system and general functionality ofthe servers are known or commercially available and are readilyimplemented by persons having ordinary skill in the art, particularly inlight of the disclosure herein.

The environment, in one embodiment, is a distributed and/or virtualcomputing environment utilizing several computer systems and componentsthat are interconnected via communication links, using one or morecomputer networks or direct connections. However, it will be appreciatedby those of ordinary skill in the art that such a system could operateequally well in a system having fewer or a greater number of componentsthan are illustrated in FIG. 10. Thus, the depiction of the system 1000in FIG. 10 should be taken as being illustrative in nature and notlimiting to the scope of the disclosure.

The various embodiments further can be implemented in a wide variety ofoperating environments, which in some cases can include one or more usercomputers, computing devices or processing devices which can be used tooperate any of a number of applications. User or client devices caninclude any of a number of general purpose personal computers, such asdesktop, laptop or tablet computers running a standard operating system,as well as cellular, wireless and handheld devices running mobilesoftware and capable of supporting a number of networking and messagingprotocols. Such a system also can include a number of workstationsrunning any of a variety of commercially-available operating systems andother known applications for purposes such as development and databasemanagement. These devices also can include other electronic devices,such as dummy terminals, thin-clients, gaming systems and other devicescapable of communicating via a network. These devices also can includevirtual devices such as virtual machines, hypervisors and other virtualdevices capable of communicating via a network.

Various embodiments of the present disclosure utilize at least onenetwork that would be familiar to those skilled in the art forsupporting communications using any of a variety ofcommercially-available protocols, such as Transmission ControlProtocol/Internet Protocol (“TCP/IP”), User Datagram Protocol (“UDP”),protocols operating in various layers of the Open System Interconnection(“OSI”) model, File Transfer Protocol (“FTP”), Universal Plug and Play(“UpnP”), Network File System (“NFS”), Common Internet File System(“CIFS”) and AppleTalk. The network can be, for example, a local areanetwork, a wide-area network, a virtual private network, the Internet,an intranet, an extranet, a public switched telephone network, aninfrared network, a wireless network, a satellite network and anycombination thereof.

In embodiments utilizing a web server, the web server can run any of avariety of server or mid-tier applications, including Hypertext TransferProtocol (“HTTP”) servers, FTP servers, Common Gateway Interface (“CGI”)servers, data servers, Java servers, Apache servers and businessapplication servers. The server(s) also may be capable of executingprograms or scripts in response to requests from user devices, such asby executing one or more web applications that may be implemented as oneor more scripts or programs written in any programming language, such asJava®, C, C# or C++, or any scripting language, such as Ruby, PHP, Perl,Python or TCL, as well as combinations thereof. The server(s) may alsoinclude database servers, including without limitation thosecommercially available from Oracle®, Microsoft®, Sybase® and IBM® aswell as open-source servers such as MySQL, Postgres, SQLite, MongoDB,and any other server capable of storing, retrieving and accessingstructured or unstructured data. Database servers may includetable-based servers, document-based servers, unstructured servers,relational servers, non-relational servers or combinations of theseand/or other database servers.

The environment can include a variety of data stores and other memoryand storage media as discussed above. These can reside in a variety oflocations, such as on a storage medium local to (and/or resident in) oneor more of the computers or remote from any or all of the computersacross the network. In a particular set of embodiments, the informationmay reside in a storage-area network (“SAN”) familiar to those skilledin the art. Similarly, any necessary files for performing the functionsattributed to the computers, servers or other network devices may bestored locally and/or remotely, as appropriate. Where a system includescomputerized devices, each such device can include hardware elementsthat may be electrically coupled via a bus, the elements including, forexample, at least one central processing unit (“CPU” or “processor”), atleast one input device (e.g., a mouse, keyboard, controller, touchscreen or keypad) and at least one output device (e.g., a displaydevice, printer or speaker). Such a system may also include one or morestorage devices, such as disk drives, optical storage devices andsolid-state storage devices such as random access memory (“RAM”) orread-only memory (“ROM”), as well as removable media devices, memorycards, flash cards, etc.

Such devices also can include a computer-readable storage media reader,a communications device (e.g., a modem, a network card (wireless orwired), an infrared communication device, etc.) and working memory asdescribed above. The computer-readable storage media reader can beconnected with, or configured to receive, a computer-readable storagemedium, representing remote, local, fixed and/or removable storagedevices as well as storage media for temporarily and/or more permanentlycontaining, storing, transmitting and retrieving computer-readableinformation. The system and various devices also typically will includea number of software applications, modules, services or other elementslocated within at least one working memory device, including anoperating system and application programs, such as a client applicationor web browser. It should be appreciated that alternate embodiments mayhave numerous variations from that described above. For example,customized hardware might also be used and/or particular elements mightbe implemented in hardware, software (including portable software, suchas applets) or both. Further, connection to other computing devices suchas network input/output devices may be employed.

Storage media and computer readable media for containing code, orportions of code, can include any appropriate media known or used in theart, including storage media and communication media, such as, but notlimited to, volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information such as computer readable instructions, data structures,program modules or other data, including RAM, ROM, Electrically ErasableProgrammable Read-Only Memory (“EEPROM”), flash memory or other memorytechnology, Compact Disc Read-Only Memory (“CD-ROM”), digital versatiledisk (DVD) or other optical storage, magnetic cassettes, magnetic tape,magnetic disk storage or other magnetic storage devices or any othermedium which can be used to store the desired information and which canbe accessed by the system device. Based on the disclosure and teachingsprovided herein, a person of ordinary skill in the art will appreciateother ways and/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense. It will, however, beevident that various modifications and changes may be made thereuntowithout departing from the broader spirit and scope of the invention asset forth in the claims.

Other variations are within the spirit of the present disclosure. Thus,while the disclosed techniques are susceptible to various modificationsand alternative constructions, certain illustrated embodiments thereofare shown in the drawings and have been described above in detail. Itshould be understood, however, that there is no intention to limit theinvention to the specific form or forms disclosed, but on the contrary,the intention is to cover all modifications, alternative constructionsand equivalents falling within the spirit and scope of the invention, asdefined in the appended claims.

The use of the terms “a” and “an” and “the” and similar referents in thecontext of describing the disclosed embodiments (especially in thecontext of the following claims) are to be construed to cover both thesingular and the plural, unless otherwise indicated herein or clearlycontradicted by context. The terms “comprising,” “having,” “including”and “containing” are to be construed as open-ended terms (i.e., meaning“including, but not limited to,”) unless otherwise noted. The term“connected,” when unmodified and referring to physical connections, isto be construed as partly or wholly contained within, attached to orjoined together, even if there is something intervening. Recitation ofranges of values herein are merely intended to serve as a shorthandmethod of referring individually to each separate value falling withinthe range, unless otherwise indicated herein and each separate value isincorporated into the specification as if it were individually recitedherein. The use of the term “set” (e.g., “a set of items”) or “subset”unless otherwise noted or contradicted by context, is to be construed asa nonempty collection comprising one or more members. Further, unlessotherwise noted or contradicted by context, the term “subset” of acorresponding set does not necessarily denote a proper subset of thecorresponding set, but the subset and the corresponding set may beequal.

Conjunctive language, such as phrases of the form “at least one of A, B,and C,” or “at least one of A, B and C,” unless specifically statedotherwise or otherwise clearly contradicted by context, is otherwiseunderstood with the context as used in general to present that an item,term, etc., may be either A or B or C, or any nonempty subset of the setof A and B and C. For instance, in the illustrative example of a sethaving three members, the conjunctive phrases “at least one of A, B, andC” and “at least one of A, B and C” refer to any of the following sets:{A}, {B}, {C}, {A, B}, {A, C}, {B, C}, {A, B, C}. Thus, such conjunctivelanguage is not generally intended to imply that certain embodimentsrequire at least one of A, at least one of B and at least one of C eachto be present.

Operations of processes described herein can be performed in anysuitable order unless otherwise indicated herein or otherwise clearlycontradicted by context. Processes described herein (or variationsand/or combinations thereof) may be performed under the control of oneor more computer systems configured with executable instructions and maybe implemented as code (e.g., executable instructions, one or morecomputer programs or one or more applications) executing collectively onone or more processors, by hardware or combinations thereof. The codemay be stored on a computer-readable storage medium, for example, in theform of a computer program comprising a plurality of instructionsexecutable by one or more processors. The computer-readable storagemedium may be non-transitory.

The use of any and all examples, or exemplary language (e.g., “such as”)provided herein, is intended merely to better illuminate embodiments ofthe invention and does not pose a limitation on the scope of theinvention unless otherwise claimed. No language in the specificationshould be construed as indicating any non-claimed element as essentialto the practice of the invention.

Embodiments of this disclosure are described herein, including the bestmode known to the inventors for carrying out the invention. Variationsof those embodiments may become apparent to those of ordinary skill inthe art upon reading the foregoing description. The inventors expectskilled artisans to employ such variations as appropriate and theinventors intend for embodiments of the present disclosure to bepracticed otherwise than as specifically described herein. Accordingly,the scope of the present disclosure includes all modifications andequivalents of the subject matter recited in the claims appended heretoas permitted by applicable law. Moreover, any combination of theabove-described elements in all possible variations thereof isencompassed by the scope of the present disclosure unless otherwiseindicated herein or otherwise clearly contradicted by context.

All references, including publications, patent applications and patents,cited herein are hereby incorporated by reference to the same extent asif each reference were individually and specifically indicated to beincorporated by reference and were set forth in its entirety herein.

What is claimed is:
 1. A computer-implemented method, comprising: underthe control of one or more computer systems configured with executableinstructions, determining a first device configured to provideauthentication information for an authentication claim sufficient toauthenticate an identity with a service provider system; obtaining, fromthe first device, authentication information; as a result of obtainingthe authentication information from the first device, providing agraphical user interface that makes available for selection, on a seconddevice, a plurality of graphical representations of sets of actions forauthenticating with corresponding service provider systems, theplurality of graphical representations comprising a graphicalrepresentation that represents a set of actions for authenticating theidentity with the service provider system; receiving, from a user inputdevice associated with the second device, user input indicating a userselection of the graphical representation from the plurality ofgraphical representations and a request to authenticate with the serviceprovider system; and as a result of receiving the user input indicatingthe selection, performing the set of actions by at least: obtaining theauthentication claim, the authentication claim based at least in part onthe authentication information from the first device; and providing theobtained authentication claim to the service provider system so that theservice provider system authenticates the identity using theauthentication claim.
 2. The computer-implemented method of claim 1,wherein the computer-implemented method further includes, as a result ofreceiving the user input indicating the selection, obtaining, from thefirst device, a cryptographically verifiable attestation to a state of acomputing environment associated with the first device.
 3. Thecomputer-implemented method of claim 2, wherein obtaining thecryptographically verifiable attestation to the state of the computingenvironment associated with the first device further includes capturing,with one or more sensors of the first computing device, informationcorresponding to the state of the computing environment associated withthe first device.
 4. The computer-implemented method of claim 1, whereinobtaining the authentication claim includes generating theauthentication claim based at least in part on the obtainedauthentication information.
 5. A system, comprising: one or morecomputing devices including a processor and memory, the memory includingexecutable instructions that, when executed by the one or moreprocessors, cause the system to: provide a set of representations ofauthentication claims for selection via an interface of a firstcomputing device of the one or more computing devices, the set ofrepresentations including a representation of an authentication claimthat corresponds to a set of actions performable to provide aconfirmation to a service provider system; receive information encodinga selection, by a user operating the first computing device, of arepresentation from the set of representations provided via theinterface; receive authentication information associated with a secondcomputing device of the one or more computing devices; for the selectedrepresentation, generate the authentication claim corresponding to theselected representation based at least in part on the receivedauthentication information; and provide the authentication claim tofacilitate performance of an operation involving interaction with theservice provider system.
 6. The system of claim 5, wherein the memoryfurther includes instructions that, when executed by the one or moreprocessors, cause the system to determine the operation of at least oneof the one or more computing devices further requires authenticationwith the service provider system.
 7. The system of claim 5, wherein thefirst computing device performs the set of actions corresponding to theselected representation to obtain the authentication claim.
 8. Thesystem of claim 5, wherein the second computing device provides theobtained authentication claim to the first computing device usingshort-range communications.
 9. The system of claim 5, wherein the set ofactions includes capturing information corresponding to a physicalenvironment associated with the second computing device using one ormore sensors of the system.
 10. The system of claim 9, wherein capturinginformation corresponding to the physical environment includes capturingone or more images of at least a portion of a user operating the secondcomputing device.
 11. The system of claim 5, wherein the set of actionsincludes obtaining an attestation to a state of a computing environmentassociated with the second computing device.
 12. The system of claim 11,wherein the attestation to the state of the computing environmentassociated with the second computing device is cryptographicallyverifiable.
 13. A non-transitory computer-readable storage medium havingstored thereon executable instructions that, when executed by one ormore processors of a first computer system, cause the first computersystem to at least: obtain an attestation to a state of a computingenvironment associated with a second computer system corresponding to arequest for additional authentication information, the attestationobtained as a result of an input received through a user interface ofthe second computer system; cause, based at least in part on theattestation, a graphical user interface to be displayed such that thegraphical user interface makes available for selection a plurality ofgraphical representations of authentication claims, the plurality ofgraphical representations associated with a representation of anauthentication claim corresponding to a set of actions forauthenticating an identity of a user with a service provider system;obtain the authentication claim based at least in part on a selection ofat least one of the plurality of graphical representations ofauthentication claims received through the graphical user interface; andaccess one or more services of a service provider system based at leastin part on the authentication claim.
 14. The non-transitorycomputer-readable storage medium of claim 13, wherein: the request foradditional authentication information includes prompting the secondcomputer system to display an indication of one or more user actions toperform in order to confirm an operation of the first computer system;and the attestation includes an indication corresponding to the one ormore user actions performed via an interface of the second computersystem.
 15. The non-transitory computer-readable storage medium of claim14, wherein the instructions that cause the first computer system toprompt the second computer system to display the indication furthercomprise instructions that, when executed by the one or more processors,cause the second computer system to output a pattern of light detectableby one or more sensors of the second computer system.
 16. Thenon-transitory computer-readable storage medium of claim 13, wherein theinstructions further comprise instructions that, when executed by theone or more processors, cause the first computer system to provide theattestation and the authentication claim to a service provider computersystem such that the attestation and authentication claim enable thefirst computer system to access a service of the service providercomputer system.
 17. The non-transitory computer-readable storage mediumof claim 13, wherein the instructions further comprise instructionsthat, when executed by the one or more processors, cause the firstcomputer system to generate the authentication claim to includeinformation contained in the attestation.
 18. The non-transitorycomputer-readable storage medium of claim 13, wherein the instructionsfurther comprise instructions that, when executed by the one or moreprocessors, cause the first computer system to: receive, from theservice provider system, an indication that additional authenticationinformation is required to complete one or more operations attempted bythe first computer system; and determine the second computer systemcapable of providing additional authentication information in order totransmit the request to the second computer system.
 19. Thenon-transitory computer-readable storage medium of claim 13, wherein theattestation includes data obtain information from one or more sensors ofthe second computer system corresponding to the state of the computingenvironment associated with the first computer system.
 20. Thenon-transitory computer-readable storage medium of claim 19, wherein theattestation includes biometric information obtained from the one or moresensors of the second computer system.